WEBVTT 1 00:00:00.080 --> 00:00:03.520 Welcome to the deep dive. We're here to really crack 2 00:00:03.600 --> 00:00:06.320 open some dense source material and bring you the insights 3 00:00:06.320 --> 00:00:06.960 that matter. 4 00:00:06.799 --> 00:00:09.119 Most things you can actually use exactly. 5 00:00:09.480 --> 00:00:13.679 And today we're plunging right into the heart of digital security. 6 00:00:13.880 --> 00:00:15.599 Network vulnerability assessment. 7 00:00:15.759 --> 00:00:18.039 Yeah, it's a big one. Technology is moving so fast, 8 00:00:18.199 --> 00:00:19.559 everything's connected. 9 00:00:19.199 --> 00:00:22.960 Which means organizations are just well more vulnerable than ever, right, 10 00:00:23.320 --> 00:00:26.000 and knowing how to secure that digital front line. It 11 00:00:26.039 --> 00:00:28.039 isn't just for the IT pros anymore. You need to 12 00:00:28.120 --> 00:00:31.800 understand this stuff too, absolutely, So our mission for this 13 00:00:31.879 --> 00:00:35.399 deep dive is simple, give you a crystal clear understanding 14 00:00:35.399 --> 00:00:39.320 of what network vulnerability assessment really is, why it's so crucial, 15 00:00:39.799 --> 00:00:43.920 and how the pros actually find and fix those security loopholes. 16 00:00:44.039 --> 00:00:47.359 We're drawing on that source you provided, Network Vulnerability Assessment 17 00:00:47.479 --> 00:00:48.880 by Saga Rahalcar. 18 00:00:49.119 --> 00:00:51.439 That's the one, and by the end you should have 19 00:00:51.439 --> 00:00:54.280 a really solid framework for the whole process, from the 20 00:00:54.280 --> 00:00:57.960 basic ideas right through to advanced techniques and what happens 21 00:00:58.000 --> 00:01:01.799 after the assessment, all without getting being sort of bogged 22 00:01:01.799 --> 00:01:02.479 down in jargon. 23 00:01:02.759 --> 00:01:05.359 Right, And like you said, this isn't just super technical stuff. 24 00:01:05.680 --> 00:01:09.359 Understanding this helps anyone navigate well, the world we live 25 00:01:09.359 --> 00:01:11.760 in now, we want to turn all this info into 26 00:01:11.799 --> 00:01:13.560 something genuinely actionable for you. 27 00:01:14.079 --> 00:01:16.319 Okay, let's unpack it then, before we even talk about 28 00:01:16.319 --> 00:01:19.159 finding weaknesses, we kind of need to get the fundamentals 29 00:01:19.159 --> 00:01:22.599 of security down a bedrock. Really, yeah, the bedrock which 30 00:01:22.640 --> 00:01:24.799 starts with the CIA triad. 31 00:01:24.920 --> 00:01:29.319 Uh huh. Confidentiality, integrity, and availability not. 32 00:01:29.359 --> 00:01:32.079 The spies, ah right, not the spies. These are the 33 00:01:32.120 --> 00:01:36.280 three absolute critical tenets. So confidentiality, think of that like 34 00:01:36.359 --> 00:01:41.519 keeping a secret, right your bank password, only you should. 35 00:01:41.280 --> 00:01:42.280 Know it, simple enough. 36 00:01:42.680 --> 00:01:49.560 Then integrity, that's about trustworthiness. Accuracy if you send a 37 00:01:49.560 --> 00:01:53.040 message you wanted to arrive exactly a cent, no tampering 38 00:01:53.159 --> 00:01:55.640 makes sense. And availability is just well being able to 39 00:01:55.640 --> 00:01:57.680 get to your stuff when you need it, like logging 40 00:01:57.680 --> 00:01:59.959 into your online bank whenever you want, no disruption. 41 00:02:00.280 --> 00:02:03.519 It's amazing how simple they sound. But the attacks they 42 00:02:03.519 --> 00:02:07.359 can get really sophisticated. Oh so, like for confidentiality, well, 43 00:02:07.439 --> 00:02:12.159 for confidentiality, you've got packet sniffing, grabbing data off the network, 44 00:02:12.159 --> 00:02:17.080 password attacks, guessing, brute force. But often it's. 45 00:02:16.879 --> 00:02:19.759 The human element, a social engineering. 46 00:02:19.319 --> 00:02:22.759 Exactly, tricking people or phishing, you know those fake emails, 47 00:02:22.759 --> 00:02:24.759 trying to get you to give up info or trying 48 00:02:24.800 --> 00:02:25.759 to steal secrets. 49 00:02:25.879 --> 00:02:29.080 So it's not always super technical hacking. Good point. What 50 00:02:29.120 --> 00:02:31.319 about integrity? How do they mess with that? 51 00:02:31.400 --> 00:02:33.479 For integrity, there's the Salami attack. 52 00:02:33.520 --> 00:02:34.960 It's kind of clever slammy attack. 53 00:02:35.080 --> 00:02:39.360 Yeah, tiny slices, dividing an attack into minuscule changes, like 54 00:02:39.439 --> 00:02:42.360 fractions of ascent from lots of accounts, so it goes unnoticed. 55 00:02:42.439 --> 00:02:42.919 Wow. 56 00:02:43.240 --> 00:02:46.520 Then data diddling, changing data as it's going in and 57 00:02:46.639 --> 00:02:49.000 man in the middle attacks where they intercept and maybe 58 00:02:49.080 --> 00:02:52.080 altered data flying between two points. That can lead to 59 00:02:52.120 --> 00:02:53.680 session hijacking. 60 00:02:53.159 --> 00:02:55.439 Making over someone's logged in session precisely. 61 00:02:55.800 --> 00:02:59.120 And for availability, that's denial of service right, d DOS, 62 00:02:59.319 --> 00:03:02.639 that's the big one. Yeah, overwhelming a system so nobody 63 00:03:02.639 --> 00:03:06.960 can use it. Syn floods target the connection process specifically, 64 00:03:07.639 --> 00:03:12.759 But it's not just digital. Physical attacks, cutting power, messing 65 00:03:12.759 --> 00:03:18.120 with the server room's climate control. Even you know, natural disasters, floods, earthquakes, 66 00:03:18.560 --> 00:03:20.280 they take things down too, right. 67 00:03:20.199 --> 00:03:25.280 So it's not just firewalls. Mother nature can knock out availability. Okay, 68 00:03:25.759 --> 00:03:29.639 Beyond CIA, there's this sort of security dictionary for access control. 69 00:03:29.759 --> 00:03:31.360 Yeah, helps clarify the steps. 70 00:03:31.599 --> 00:03:34.800 It starts with identification, you claim who you are like 71 00:03:34.919 --> 00:03:40.280 typing username step one. Then authentication proving it password, maybe 72 00:03:40.280 --> 00:03:44.159 a token or biometrics like a fingerprint, something you have 73 00:03:44.400 --> 00:03:45.000 or are right. 74 00:03:45.080 --> 00:03:45.960 You gotta prove your you. 75 00:03:46.240 --> 00:03:49.360 Only then comes authorization. What do you actually allowed to 76 00:03:49.520 --> 00:03:50.159 do or see? 77 00:03:50.199 --> 00:03:53.719 Once you're authenticated your permissions Basically like that guest list analogy. 78 00:03:53.719 --> 00:03:56.479 You're in the party, but maybe not the VIP room exactly. 79 00:03:56.599 --> 00:03:58.800 And once you have access, someone needs to track what 80 00:03:58.879 --> 00:03:59.159 you do. 81 00:03:59.240 --> 00:04:02.199 That's auditing uh huh, logging actions, who did what when? 82 00:04:02.240 --> 00:04:04.560 It's for accountability, spotting weird stuff. 83 00:04:04.280 --> 00:04:06.560 And those logs feed into accounting. 84 00:04:06.719 --> 00:04:10.240 Yeah, basically tying actions back to a specific proven identity. 85 00:04:10.680 --> 00:04:13.400 And lastly, non repudiation. 86 00:04:13.360 --> 00:04:16.079 Making sure someone can't later deny they did something you got. 87 00:04:16.079 --> 00:04:19.560 It often involves things like digital signatures proof. 88 00:04:20.000 --> 00:04:23.360 Okay, so we have these core ideas. Now let's really 89 00:04:23.439 --> 00:04:28.120 nail down the terms we're assessing for vulnerability, threat risk. 90 00:04:28.800 --> 00:04:30.839 They get mixed up sometimes they definitely do. 91 00:04:30.959 --> 00:04:34.639 Okay. So a vulnerability is just a weakness. 92 00:04:34.240 --> 00:04:36.120 A flaw like a crack in a wall. 93 00:04:36.240 --> 00:04:41.319 Perfect analogy, weak password, unpatched app missing security setting. 94 00:04:41.439 --> 00:04:43.920 That's the vulnerability, okay, and a threat. 95 00:04:44.040 --> 00:04:47.120 A threat is anything that could cause harm by exploiting 96 00:04:47.120 --> 00:04:51.439 that weakness. It's the potential danger of virus, a power surge, 97 00:04:51.639 --> 00:04:53.040 even someone making a mistake. 98 00:04:53.120 --> 00:04:55.040 So the heavy rain hitting the cracked wall. 99 00:04:55.000 --> 00:04:58.519 Kind of yeah. An exposure is being susceptible to loss 100 00:04:58.519 --> 00:05:01.600 if that threat hits that vulnerabilit the potential for the flood. 101 00:05:01.680 --> 00:05:04.439 Sticking with your analogy, hasn't happened, but it could, which 102 00:05:04.480 --> 00:05:07.759 leads to risk, right. Risk is the actual likelihood that 103 00:05:07.759 --> 00:05:10.920 the threat will exploit the vulnerability and cause harm, often 104 00:05:10.959 --> 00:05:14.160 calculated as risk likelihood, impact. 105 00:05:13.879 --> 00:05:15.519 Likely at times impact it makes sense. 106 00:05:15.879 --> 00:05:19.720 And the fix that's a safeguard or countermeasure anything that 107 00:05:19.800 --> 00:05:23.560 reduces the vulnerability or mitigates the risk. Patching the crack in. 108 00:05:23.560 --> 00:05:26.120 The wall, and the path the attacker uses. 109 00:05:26.040 --> 00:05:28.199 That's the attack vector, the route they take. 110 00:05:28.319 --> 00:05:32.120 Okay, so the source summarizes it neatly. Assets are endangered 111 00:05:32.120 --> 00:05:35.759 by threats that exploit vulnerabilities, resulting in exposure, which is 112 00:05:35.759 --> 00:05:38.199 a risk that could be mitigated using safeguards. 113 00:05:38.279 --> 00:05:39.759 That ties it all together nicely. 114 00:05:40.000 --> 00:05:42.839 So what does this all mean for businesses? For organizations? 115 00:05:43.120 --> 00:05:46.920 Why poor resources into security assessments. Sounds like a lot 116 00:05:46.920 --> 00:05:47.319 of effort. 117 00:05:47.600 --> 00:05:51.519 Oh it is, but it's a business imperative. Several big reasons. First, 118 00:05:51.879 --> 00:05:57.600 regulatory compliance like IPA, PCIDSS exactly, Sarbanz Oxley too. They 119 00:05:57.600 --> 00:06:01.519 often require regular assessments, huge finds if you don't comply. Second, 120 00:06:01.839 --> 00:06:03.319 satisfying customer demands. 121 00:06:03.480 --> 00:06:05.519 Customers are asking for this now more and more. 122 00:06:05.600 --> 00:06:10.240 They want assurance, especially before signing big contracts. Third, response 123 00:06:10.319 --> 00:06:11.720 to incidents. 124 00:06:11.199 --> 00:06:13.439 Like want to cry that ransomware. 125 00:06:13.040 --> 00:06:16.079 Nightmare precisely a big attack often triggers a serious look 126 00:06:16.079 --> 00:06:20.240 at vulnerability management. Fourth, it's a competitive edge. If you 127 00:06:20.240 --> 00:06:22.600 can show you have a solid program, you look better 128 00:06:22.600 --> 00:06:26.040 than a competitor who doesn't. And finally, the most important 129 00:06:26.079 --> 00:06:28.439 one safeguarding critical infrastructure. 130 00:06:28.959 --> 00:06:31.360 Just doing the right thing to protect data and systems 131 00:06:31.439 --> 00:06:32.439 regardless of rules. 132 00:06:32.639 --> 00:06:34.160 That's the core driver really. 133 00:06:34.040 --> 00:06:36.879 And here's where it gets interesting for the being counters. 134 00:06:38.000 --> 00:06:43.279 Justifying the cost our source actually gives a simple ROI calculation. 135 00:06:42.879 --> 00:06:44.160 To turn on investment. Right. 136 00:06:44.360 --> 00:06:47.959 If a potential attack loss is say seventy five thousand dollars, 137 00:06:48.279 --> 00:06:51.480 and the program costs twenty five thousand dollars, the formula 138 00:06:51.639 --> 00:06:53.839 is gain cost one hundred cost. 139 00:06:53.800 --> 00:06:56.519 So seventy five K twenty five k, twenty five k. 140 00:06:56.480 --> 00:06:59.040 Which comes out to two hundred percent ROI. That's in 141 00:06:59.079 --> 00:07:02.480 a powerful argument. It reframes security not as just a cost, 142 00:07:02.480 --> 00:07:05.240 but has prevented loss an investment. 143 00:07:04.800 --> 00:07:07.680 And often that seventy five k is an underestimate considering 144 00:07:07.759 --> 00:07:09.600 reputational damage, legal fees. 145 00:07:09.759 --> 00:07:12.000 Good point. The real cost of a breach can be 146 00:07:12.040 --> 00:07:14.720 way higher, which underlines why getting buy in from the 147 00:07:14.759 --> 00:07:15.720 top is so vital. 148 00:07:15.879 --> 00:07:19.319 Absolutely. The source talks about two approaches for implementation, bottom 149 00:07:19.360 --> 00:07:21.600 up versus top down. Bottom up starts with the tech staff. 150 00:07:21.720 --> 00:07:25.120 Often ad hoc struggles long term without management support. 151 00:07:24.920 --> 00:07:27.000 Budget, you know, yeah, fizzles out. 152 00:07:27.000 --> 00:07:32.000 Maybe whereas top down is initiated, directed, governed by senior management, 153 00:07:32.480 --> 00:07:37.279 clear plan, budget resources, much higher chance of success. 154 00:07:37.680 --> 00:07:41.600 Makes sense though maybe bottom up can sometimes kickstart things, 155 00:07:41.720 --> 00:07:42.360 show the need. 156 00:07:42.639 --> 00:07:45.639 It can definitely serve as that proof of concept. Yeah, 157 00:07:45.879 --> 00:07:48.240 get the ball rolling to hopefully get that top down 158 00:07:48.240 --> 00:07:49.160 support eventually. 159 00:07:49.399 --> 00:07:54.480 What's managements driving? They use these governance documents right, policy standard. 160 00:07:54.199 --> 00:07:57.480 Right, there's a hierarchy. Policy is top level mandatory, like 161 00:07:57.560 --> 00:08:01.639 we will protect customer data. The standard sets an acceptable 162 00:08:01.720 --> 00:08:05.639 quality level. Maybe referencing specific tech. A procedure is the 163 00:08:05.680 --> 00:08:08.879 detailed steps the sop. Here's exactly how we do it, 164 00:08:09.000 --> 00:08:11.639 like a checklist pretty much, and a guideline is just 165 00:08:11.759 --> 00:08:15.439 recommendations best practices but not strictly mandatory. 166 00:08:15.519 --> 00:08:18.480 Okay, framework in place. Now, what about the actual testing? 167 00:08:18.519 --> 00:08:19.399 What kinds are there? 168 00:08:19.480 --> 00:08:23.399 Well? Security testing is the broad term making sure controls work, 169 00:08:23.519 --> 00:08:27.319 automated scans, manual checks. It's ongoing. But the key distinction 170 00:08:27.360 --> 00:08:31.560 people often ask about is vulnerability assessment VA versus penetration 171 00:08:31.680 --> 00:08:32.440 testing PT. 172 00:08:32.679 --> 00:08:33.559 Right, what's the difference. 173 00:08:33.840 --> 00:08:37.360 The source uses a great bank robbery analogy. A VA 174 00:08:37.480 --> 00:08:41.440 is like the robbers scouting the bank, tasing the joint exactly, 175 00:08:41.919 --> 00:08:46.200 noting the weak doors, single guard, no cameras. They're checking 176 00:08:46.240 --> 00:08:51.039 for vulnerabilities. PT is actually robbing the bank, exploiting those 177 00:08:51.080 --> 00:08:52.919 weaknesses to see if they can get in and get 178 00:08:52.960 --> 00:08:53.480 the loot. 179 00:08:53.720 --> 00:08:56.679 So VA finds the holes, PT tries to punch through them. 180 00:08:56.759 --> 00:08:58.440 You got it, and you really can't do a good 181 00:08:58.480 --> 00:08:59.919 PT without a thorough VA. 182 00:09:00.159 --> 00:09:02.200 First makes sense? Are there other types? 183 00:09:02.480 --> 00:09:08.159 Yeah? A security assessment is broader, more detailed, includes risk assessment, suggests, fixes, 184 00:09:08.600 --> 00:09:12.519 goes beyond just tools and a security audit is similar, 185 00:09:12.960 --> 00:09:15.240 but done by independent auditors. 186 00:09:14.720 --> 00:09:17.279 Like the big four firms ey Deloitte, YEP. 187 00:09:17.679 --> 00:09:21.480 The goal there is demonstrating security effectiveness to outsiders, getting 188 00:09:21.480 --> 00:09:22.879 that unbiased validation. 189 00:09:23.159 --> 00:09:26.000 Okay, now let's walk through the actual journey. What are 190 00:09:26.000 --> 00:09:28.759 the phases when a pro does a VA. It's not 191 00:09:28.799 --> 00:09:30.080 just running a scanner. 192 00:09:29.720 --> 00:09:32.480 Is it not at all? It's very methodical. Phase one 193 00:09:32.639 --> 00:09:36.559 is prerequisites, the groundwork. This is critical. Honestly, assessments can 194 00:09:36.600 --> 00:09:38.440 fail right here if you don't get this right. It's 195 00:09:38.440 --> 00:09:42.600 involved first target scoping and planning. This needs your input. 196 00:09:42.840 --> 00:09:48.240 What exactly are we testing? List the critical assets web servers, databases, suore, 197 00:09:48.360 --> 00:09:53.399 but also printers, smart TVs, IP cameras, things people forget. 198 00:09:53.120 --> 00:09:54.799 Oh right, those connected devices, and. 199 00:09:54.759 --> 00:09:59.279 Then gathering requirements checklists, figuring out suitable testing times you 200 00:09:59.320 --> 00:10:03.799 don't want to craft production systems midday. Identifying all stakeholders 201 00:10:03.799 --> 00:10:07.960 as key to who's usually involved exact management, IT security team, 202 00:10:08.159 --> 00:10:11.759 the VA lead tester obviously, the asset owners, maybe third 203 00:10:11.799 --> 00:10:14.080 party providers, even end users. Sometimes. 204 00:10:14.159 --> 00:10:15.840 Then you decide the type of VA right. 205 00:10:16.039 --> 00:10:19.799 Location based external from the Internet like an outside attacker, 206 00:10:20.000 --> 00:10:24.039 versus internal from inside the network like a disprintled employee okay, 207 00:10:24.200 --> 00:10:28.519 knowledge based black box zero prior knowledge simulates an external hacker, 208 00:10:28.600 --> 00:10:32.720 takes longer, White box full knowledge. Source code diagram simulates 209 00:10:32.720 --> 00:10:36.039 an insider and gray box partial knowledge somewhere in between. 210 00:10:35.840 --> 00:10:38.120 Black, white, gray got it any. 211 00:10:37.919 --> 00:10:42.679 Others Yeah, announced or unannounced. Automated scans fast but prone 212 00:10:42.720 --> 00:10:46.919 to false positives, misdesigned flaws versus manual testing. Expert driven 213 00:10:47.240 --> 00:10:52.360 better findings, but slower, costlier. Also authenticated with logins versus 214 00:10:52.480 --> 00:10:55.799 unauthenticated scans and agent lists versus agent based. 215 00:10:55.600 --> 00:10:59.639 Scans, lots of choices. This all leads to estimating resources. 216 00:10:59.240 --> 00:11:04.080 YEP, estimating resources and deliverables, man hours, tools needed, and 217 00:11:04.159 --> 00:11:07.879 crucially adding time padding maybe twenty percent cuting for what 218 00:11:08.240 --> 00:11:11.960 things go wrong. Network devices might block your scans, systems 219 00:11:12.039 --> 00:11:14.639 might not respond, a scan might accidentally crash, a service 220 00:11:15.039 --> 00:11:18.039 user IDs might get locked out. You need buffer time 221 00:11:18.360 --> 00:11:20.639 Murphy's law, and you formalize it in a test plan 222 00:11:20.759 --> 00:11:24.919 or statement of work, SOW scope, methods, rules of engagement, liability. 223 00:11:25.039 --> 00:11:26.080 It's all spelled. 224 00:11:25.759 --> 00:11:28.159 Out and the final critical step. 225 00:11:28.120 --> 00:11:32.960 Getting approval and signing MDAs Non disclosure agreements absolutely vital 226 00:11:33.039 --> 00:11:34.960 to protect your sensitive information during the. 227 00:11:34.919 --> 00:11:39.080 Test okay, groundwork done. Phase two information gathering, sharpening the. 228 00:11:39.039 --> 00:11:41.440 Acts exactly like that link and quote. Spend most of 229 00:11:41.480 --> 00:11:44.559 the time preparing This phase is crucial detective. 230 00:11:44.159 --> 00:11:46.720 Work passive versus active gathering right correct. 231 00:11:47.120 --> 00:11:51.600 Passive means no direct contact using public sources. Think showed 232 00:11:51.639 --> 00:11:56.000 in for finding Internet connected devices, multi go for mapping relationships, 233 00:11:56.039 --> 00:11:59.279 the harvester for emails. You're not touching the target directly. 234 00:11:59.360 --> 00:12:04.080 You stay in an active does involve direct contact. Using 235 00:12:04.120 --> 00:12:07.399 tools to probe the target, like port scanners or network 236 00:12:07.399 --> 00:12:11.000 mapping tools. You get more info, leave footprints they might 237 00:12:11.039 --> 00:12:11.639 detect you. 238 00:12:11.720 --> 00:12:16.399 Sharpen the acts. Now. Phase three enumeration and vulnerability assessment. 239 00:12:16.519 --> 00:12:17.559 Precision targeting. 240 00:12:17.840 --> 00:12:21.360 Getting specific right enumeration is about digging into the services 241 00:12:21.399 --> 00:12:23.960 running on the ports. You found, what version of web server? 242 00:12:24.080 --> 00:12:27.559 What type of FTP server? Getting those details using tools 243 00:12:27.639 --> 00:12:28.240 like nmap. 244 00:12:28.360 --> 00:12:30.879 Why are the specific versions so important. 245 00:12:30.639 --> 00:12:34.639 Because vulnerabilities are often version specific. Knowing the exact version 246 00:12:34.720 --> 00:12:37.799 lets you look up known exploits, which. 247 00:12:37.639 --> 00:12:40.240 Leads to the actual vulnerability assessment YEP. 248 00:12:40.399 --> 00:12:43.080 Now you bring in specialized VA tools like open vas, 249 00:12:43.159 --> 00:12:46.440 for instance. They probe those enumerated services, check them against 250 00:12:46.559 --> 00:12:50.039 databases of known vulnerabilities and generate reports detailing the findings, 251 00:12:50.120 --> 00:12:53.279 usually with severity levels critical, high, medium, low. 252 00:12:53.559 --> 00:12:56.919 Now we're finding the actual cracks, which brings us to 253 00:12:56.919 --> 00:13:02.480 phase four, gaining network access. The break in the part everyone. 254 00:13:02.200 --> 00:13:05.440 Thinks of This is where the exploitation happens. Could be 255 00:13:05.639 --> 00:13:09.159 gaining remote access directly, or maybe tricking a user into 256 00:13:09.200 --> 00:13:12.039 running a payload that connects back to the attacker. Password 257 00:13:12.039 --> 00:13:13.200 cracking is a big one. 258 00:13:13.200 --> 00:13:16.000 Dictionary attacks brute force, yeah. 259 00:13:16.360 --> 00:13:20.559 Using word lists trying every combination. Also rainbow tables for 260 00:13:20.600 --> 00:13:24.519 cracking hashed passwords, though salting adding random data to passwords 261 00:13:24.559 --> 00:13:27.559 before hashing makes them less effective. Now Yeah tools can 262 00:13:27.600 --> 00:13:30.679 help identify the hash type first, like figuring out. 263 00:13:30.519 --> 00:13:32.799 The lock before making the key. What else? 264 00:13:33.080 --> 00:13:37.120 Attackers might create backdoors, patching legitimate files with malicious code, 265 00:13:37.480 --> 00:13:41.600 or exploit remote services directly using frameworks like metasploit, targeting 266 00:13:41.600 --> 00:13:44.840 known flaws in specific software versions to gain control a shell. 267 00:13:45.519 --> 00:13:48.720 Even routers and other embedded devices can be hacked, which. 268 00:13:48.559 --> 00:13:51.480 Brings up that human element again. How do attackers get 269 00:13:51.559 --> 00:13:52.480 us to help them? 270 00:13:52.600 --> 00:13:57.480 Social engineering using toolkits like the Social Engineering Toolkit SAT 271 00:13:58.120 --> 00:14:01.919 to craft believable phishing emails fake websites. The goal is 272 00:14:01.960 --> 00:14:04.080 to trick a victim into clicking a link or opening 273 00:14:04.120 --> 00:14:07.919 a file that executes malware, giving the attacker that reverse connection. 274 00:14:08.360 --> 00:14:11.120 It often bypasses technical defenses entirely. 275 00:14:11.279 --> 00:14:15.840 The human firewall feeling scary okay? Phase five assessing web 276 00:14:15.840 --> 00:14:19.440 application security the Achilles heel. So much of what you 277 00:14:19.519 --> 00:14:21.159 do online involves web. 278 00:14:21.000 --> 00:14:25.519 Apps absolutely critical banking, shopping, email. A single web bat 279 00:14:25.559 --> 00:14:29.159 flaw can be disastrous, and crucially, automated scanners alone are 280 00:14:29.240 --> 00:14:31.840 enough here Why now they missed design flaws problems in 281 00:14:31.879 --> 00:14:35.320 the business logic? You need manual testing too often starts 282 00:14:35.360 --> 00:14:39.080 with application profiling, figuring out which apps are most critical. 283 00:14:38.720 --> 00:14:41.519 And then you test against common weaknesses like the OOS 284 00:14:41.559 --> 00:14:42.159 PAP ten. 285 00:14:42.240 --> 00:14:46.120 Exactly, things like authentication or credential sense securely, our error 286 00:14:46.120 --> 00:14:49.200 message is generic? Is there a strong password policy? Maps 287 00:14:49.200 --> 00:14:52.799 to OOS? A two? Broken authentication and authorization testing. If 288 00:14:52.879 --> 00:14:57.240 users can bypass controls access things they shouldn't, maybe escalate privileges. 289 00:14:57.440 --> 00:14:59.919 That's a five broken access control? 290 00:15:00.120 --> 00:15:01.639 What else is key? For web apps? 291 00:15:01.759 --> 00:15:05.759 Session management, secure cookies, preventing things like cross site request 292 00:15:05.799 --> 00:15:09.759 forgery CSRF, where an attacker tricks your browser into doing 293 00:15:09.759 --> 00:15:13.559 something unwanted and a huge one. Input validation checking what 294 00:15:13.679 --> 00:15:16.639 users type into forms yes, both on the client site, 295 00:15:16.639 --> 00:15:19.320 in the browser, and crucially on the server side. This 296 00:15:19.360 --> 00:15:23.759 prevents things like cross site scripting XSS SQL injection. So 297 00:15:23.799 --> 00:15:27.399 many big vulnerabilities stem from bad input validation. It maps 298 00:15:27.440 --> 00:15:31.360 to several OASP points like injection and XSS. 299 00:15:30.879 --> 00:15:33.080 So double checking inputs is vital absolutely. 300 00:15:33.559 --> 00:15:38.000 Then there's security misconfiguration harding the servers, disabling defaults, proper 301 00:15:38.120 --> 00:15:41.039 error handling that's A six, and business logic. 302 00:15:40.840 --> 00:15:42.600 Flaws the ones scanners can't find. 303 00:15:42.720 --> 00:15:46.120 Right means manual testing, understanding the workflow like that e 304 00:15:46.159 --> 00:15:48.600 commerce example where you could tamper with the payment amount. 305 00:15:48.840 --> 00:15:51.440 Also auditing and logging a ten, tracking who does what 306 00:15:51.519 --> 00:15:54.559 in the app and cryptography A three. Using strong encryption 307 00:15:54.679 --> 00:15:59.600 for data valid SSLTLS certificates. Tools like OSPSTA or burp 308 00:15:59.679 --> 00:16:00.879 suite help test all this. 309 00:16:01.279 --> 00:16:04.480 Okay, web apps covered. What if an attacker gets initial 310 00:16:04.519 --> 00:16:07.919 access but it's just a regular user account. Phase six 311 00:16:09.159 --> 00:16:11.039 privilege escalation the inside. 312 00:16:10.720 --> 00:16:15.039 Job right gaining higher privileges. Operating systems have these protection rings. 313 00:16:15.480 --> 00:16:18.720 Ring zero is the kernel super powerful. Ring three is 314 00:16:18.840 --> 00:16:22.799 user applications least powerful. Escalation is about moving up. 315 00:16:22.759 --> 00:16:24.840 And there are two types, horizontal and vertical. 316 00:16:25.039 --> 00:16:27.879 Yeah, horizontal is accessing data if someone at the same 317 00:16:27.960 --> 00:16:30.600 level like a coworker. Vertical is going up a normal 318 00:16:30.679 --> 00:16:34.039 user gaining admin or root privileges. That's the bigger goal, 319 00:16:34.159 --> 00:16:37.639 usually getting the keys to the kingdom exactly, exploiting system 320 00:16:37.679 --> 00:16:41.559 flaws kernel bugs. There are various techniques. 321 00:16:41.200 --> 00:16:44.759 Once they're in with high privileges Phase seven maintaining access 322 00:16:44.799 --> 00:16:47.879 and clearing tracks the covert operator staying hidden. 323 00:16:48.320 --> 00:16:51.840 Maintaining access means setting up persistence ways to get back 324 00:16:51.840 --> 00:16:54.519 in easily even if the system reboots, like leaving. 325 00:16:54.240 --> 00:16:56.679 A backdoor and covering their tracks, clearing. 326 00:16:56.399 --> 00:17:01.080 Tracks and trails, deleting logs, clearing command history, erasing the evidence. 327 00:17:01.159 --> 00:17:04.119 They might even use anti forensics techniques like changing file 328 00:17:04.200 --> 00:17:07.720 time stamps with tools like timestomp to confuse any investigation later. 329 00:17:08.000 --> 00:17:11.079 Wow, Okay, so the assessment finds all these potential issues, 330 00:17:11.279 --> 00:17:13.240 but finding them is only half the story, right. 331 00:17:13.400 --> 00:17:16.839 What happens next crucial point? You need to manage and 332 00:17:16.920 --> 00:17:21.160 act on the findings. First step scoring, you get a 333 00:17:21.200 --> 00:17:23.400 list of vulnerabilities you need to prioritize. 334 00:17:23.680 --> 00:17:25.799 Not all vulnes are created equal exactly. 335 00:17:25.880 --> 00:17:29.279 That's where the Common Vulnerability Scoring System CBSS comes in. 336 00:17:29.559 --> 00:17:33.119 That's a standard, open way to score vulnerabilities based on 337 00:17:33.200 --> 00:17:36.759 specific characteristics. It gives you a consistent numerical score. 338 00:17:36.640 --> 00:17:38.079 And it considers lots of factors. 339 00:17:38.200 --> 00:17:40.839 It does the base metrics look at the vulnerability itself, 340 00:17:41.160 --> 00:17:47.039 exploitability factors like attack vector, network, local attack complexity easy, hard, 341 00:17:47.519 --> 00:17:52.480 privileges required none, admin user interaction needed, not needed. Scope 342 00:17:52.799 --> 00:17:54.799 affects just this component or others too? 343 00:17:54.880 --> 00:17:56.759 Okay? How easy is it to exploit? Right? 344 00:17:56.920 --> 00:18:01.400 And then impact metrics, confidentiality, integrity, availability, How bad is 345 00:18:01.440 --> 00:18:03.839 the damage if it is exploited. You plug these into 346 00:18:03.880 --> 00:18:05.960 a calculator, get a score from zero to ten and 347 00:18:06.000 --> 00:18:08.000 that maps to low, medium, high critical. 348 00:18:08.240 --> 00:18:11.359 So CBSS gives you that priority list, but you also 349 00:18:11.440 --> 00:18:12.599 need proactive. 350 00:18:12.119 --> 00:18:15.759 Defense definitely threat modeling. This is about thinking like an 351 00:18:15.759 --> 00:18:19.599 attacker before you even build something ideally during the design phase. 352 00:18:19.599 --> 00:18:21.720 Like designing the fort to withstand attacks from the. 353 00:18:21.680 --> 00:18:25.359 Start, perfect analogy. It helps build security in leagues to 354 00:18:25.359 --> 00:18:29.839 structured discussions, finds flaws early, reduces the attack surface. 355 00:18:30.400 --> 00:18:32.599 Lots of benefits and there are methodologies for this. 356 00:18:32.839 --> 00:18:38.839 Stride and dread Yeah, Stride helps identify threat types spoofing, tampering, repudiation, 357 00:18:39.319 --> 00:18:44.680 information disclosure, denial of service, elevation of privileges. Dread helps 358 00:18:44.759 --> 00:18:48.960 rate the threats you find, damage, reproducibility, exploitability, affected users 359 00:18:49.000 --> 00:18:52.400 discoverability gives them a risk. Grating tools can help automate 360 00:18:52.440 --> 00:18:52.960 parts of this. 361 00:18:53.160 --> 00:18:55.599 Building securely, finding flaws early. Then there's the. 362 00:18:55.599 --> 00:18:59.400 Ongoing work catching and hardening. Patching is just applying updates 363 00:18:59.400 --> 00:19:04.000 to fix and now vulnerabilities. Think Microsoft's patch Tuesday. Tools 364 00:19:04.000 --> 00:19:06.279 can check if systems are up to date and hardening. 365 00:19:06.400 --> 00:19:10.440 That's configuring the underlying systems securely, web servers, databases, the 366 00:19:10.480 --> 00:19:15.119 OS itself using guidelines like the CIS benchmarks industry best 367 00:19:15.160 --> 00:19:17.000 practices for secure configurations. 368 00:19:17.160 --> 00:19:20.039 Block everything down and finally telling people what you found 369 00:19:20.039 --> 00:19:20.759 of what's being done. 370 00:19:20.960 --> 00:19:25.200 Reporting and metrics crucial. You need clear reports tailored to 371 00:19:25.240 --> 00:19:29.880 the audience, executive reports for management, high level summary, key risks, progress, 372 00:19:30.319 --> 00:19:33.559 detailed technical reports for the IT team specifics how to 373 00:19:33.599 --> 00:19:36.640 fix it. Proof of concept tools like DRAWTIS or Faraday 374 00:19:36.720 --> 00:19:37.680 help manage. 375 00:19:37.359 --> 00:19:40.160 This and measuring success. How do you know if the 376 00:19:40.160 --> 00:19:41.000 program is working? 377 00:19:41.119 --> 00:19:45.400 Key metrics things like meantime to detect MTTD. How fast 378 00:19:45.440 --> 00:19:49.279 do we find vulmes meantime to resolve MTTR? How fast 379 00:19:49.279 --> 00:19:51.759 do we fix them? Scanner coverage are we scanning everything 380 00:19:51.759 --> 00:19:55.240 we should? Vulnerability reopen rate? Are fixes actually sticking? 381 00:19:55.359 --> 00:19:55.759 What else? 382 00:19:56.160 --> 00:19:58.759 Number of exceptions granted? How many known vonnes aren't being 383 00:19:58.799 --> 00:20:02.000 fixed and why? Percentage of systems with no open high 384 00:20:02.039 --> 00:20:05.440 critical volns big one for execs and vulnerability aging. How 385 00:20:05.519 --> 00:20:07.039 long are vlones sitting unfixed? 386 00:20:07.119 --> 00:20:11.960 So a continuous cycle of find, prioritize, fix, measure report. 387 00:20:12.119 --> 00:20:14.279 That's vulnerability management in a nutshell. 388 00:20:14.680 --> 00:20:17.480 Few Okay, so you've just taken a really deep dive 389 00:20:17.559 --> 00:20:23.200 into network vulnerability assessment from the core ideas like CIA, 390 00:20:23.400 --> 00:20:26.960 through all those phases gathering info, testing, exploiting, and then 391 00:20:27.160 --> 00:20:31.279 the critical follow up like scoring, modeling, patching, reporting. You 392 00:20:31.319 --> 00:20:34.319 should now have a much more solid handle on digital security. 393 00:20:34.599 --> 00:20:37.119 Yeah, and understanding this isn't just technical jerk, and it's 394 00:20:37.160 --> 00:20:40.559 really about appreciating the continuous effort involved in keeping things 395 00:20:40.640 --> 00:20:44.359 safe online. It hopefully lets you ask better questions, think 396 00:20:44.440 --> 00:20:47.759 more critically about the security of your own devices, your data, 397 00:20:47.839 --> 00:20:49.000 the services you use. 398 00:20:49.480 --> 00:20:51.079 So what really stands out to you from all this 399 00:20:51.720 --> 00:20:54.079 maybe it's just how meticulous the planning has to be, 400 00:20:54.720 --> 00:20:57.640 or how often that human element social engineering is the 401 00:20:57.640 --> 00:21:01.480